Your organization is “GDPR compliant”, but do you perform penetration tests?

Today’s organizations are facing an ever-expanding set of legal and regulatory compliance requirements regarding how they must handle sensitive information, how they must ensure the resilience of their digital processes, and how they must protect the privacy of individuals. Organizations must not only operate within legal and contractual boundaries but do so in a way that creates the business value that their stakeholders expect of them.

Business risk and costs associated with not sufficiently complying with laws and regulations and focusing on information security and privacy have also increased significantly in recent years. The European Union’s General Data Protection Regulation (GDPR) is one example where European data protection authorities have been provided with powerful tools allowing them to impose sanctions on organizations that do not sufficiently complying with strict privacy principles. In addition, the risk for organization’s becoming victims of a cyberattacks that disrupts critical business processes has increased. In June 2017 the shipping giant Maersk was hit by a crypto virus attack that encrypted PCs and servers. Maersk estimates the damage for the organization to be between $200 and $300 million USD according to Financial Times. Cybercrime has become big business and cybersecurity experts have observed a professionalization of how information and hacking tools are shared freely and sold in dark corners of the internet.

Compliance is a complex topic as it touches all levels of an organization from strategic to tactical and operational processes. Many organizations are turning to best practice standards and compliance frameworks when designing their internal organization, policies, processes, and technical security measures for compliance.

Penetration testing is a term used by cybersecurity experts when talking about putting the security of computer systems, networks, or web applications to the test. The goal of the security experts is to find any vulnerabilities that could potentially be exploited by an attacker to gain unauthorized access to sensitive information or disrupt the infrastructure and the business processes that depend on it.

Results from penetration tests including any vulnerabilities found during the simulated attack are classified according to their criticality based on potential business impact and presented to the organization. This allows the organization to remove and manage vulnerabilities before they can lead to information leakage, disrupted business processes, and negative business impact.

Penetration testing – an important building block of your compliance framework

Legal and regulatory frameworks such as the European Union’s GDPR often outline general principles for protecting information rather than technical requirements or the need to perform specific tests. These principles and requirements need to be adapted by organizations and translated to concrete actions that ensure the organization’s compliance. Organizations sometimes struggle with this process as it requires knowledge and experience from different disciplines such as sector-specific and privacy laws and regulations, information security management, and IT security.

Penetration testing is an important building block of any compliance framework offering many direct and indirect benefits for organizations including: